---
c: Copyright (C) Daniel Stenberg, <daniel.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_ISSUERCERT_BLOB
Section: 3
Source: libcurl
See-also:
  - CURLOPT_CRLFILE (3)
  - CURLOPT_ISSUERCERT (3)
  - CURLOPT_SSL_VERIFYHOST (3)
  - CURLOPT_SSL_VERIFYPEER (3)
---

# NAME

CURLOPT_ISSUERCERT_BLOB - issuer SSL certificate from memory blob

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ISSUERCERT_BLOB,
                          struct curl_blob *stblob);
~~~

# DESCRIPTION

Pass a pointer to a curl_blob structure, which contains information (pointer
and size) about a memory block with binary data of a CA certificate in PEM
format. If the option is set, an additional check against the peer certificate
is performed to verify that the issuer is indeed the one associated with the
certificate provided by the option. This additional check is useful in
multi-level PKI where one needs to enforce that the peer certificate is from a
specific branch of the tree.

This option should be used in combination with the
CURLOPT_SSL_VERIFYPEER(3) option. Otherwise, a failed issuer check is not
treated as a failure, so the option enforces nothing on its own.

A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option,
which is returned if the setup of the SSL/TLS session has failed due to a
mismatch with the issuer of the peer certificate (CURLOPT_SSL_VERIFYPEER(3)
has to be set too for the check to fail).

If the blob is initialized with the flags member of struct curl_blob set to
CURL_BLOB_COPY, the application does not have to keep the buffer around after
setting this.

This option is an alternative to CURLOPT_ISSUERCERT(3) which instead
expects a filename as input.

# DEFAULT

NULL

# PROTOCOLS

All TLS-based protocols

# EXAMPLE

~~~c

extern char *certificateData;
extern size_t filesize;

int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    struct curl_blob blob;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    blob.data = certificateData;
    blob.len = filesize;
    blob.flags = CURL_BLOB_COPY;
    curl_easy_setopt(curl, CURLOPT_ISSUERCERT_BLOB, &blob);
    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
}
~~~

# AVAILABILITY

Added in 7.71.0. This option is supported by the OpenSSL backends.

# RETURN VALUE

Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.

This return value only reflects whether the option was accepted. An issuer
mismatch is reported later, when the SSL/TLS session is set up, as
CURLE_SSL_ISSUER_ERROR.